First run the command I mentioned to ensure openssl can verify the full chain for Yahoo.

$ openssl s_client -connect www.yahoo.com:443 </dev/null

If that fails at any depth then check the default certificate directory compiled into openssl.

$ openssl version -d

If the directory is not /usr/ssl or /usr/ssl/certs then you need to tell openssl to use that directory.

$ openssl s_client -connect www.yahoo.com:443 -CApath /usr/ssl/certs </dev/null

If this verifies OK then you have to tell squid to pass the same parameter to openssl with the following config option.

sslproxy_capath /usr/ssl/certs

You also may need to rehash your ssl cert directory. This command should spit out the subject hash of the root cert.

$ openssl x509 -in /usr/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem -noout -subject_hash
415660c1

You should have a corresponding symlink in the /usr/ssl/certs directory that looks something like this.

$ ls -la 415660c1.*
lrwxrwxrwx 1 root root 97 Jul 5 20:27 415660c1.0 -> ../../ca-certificates/extracted/cadir/Verisign_Class_3_Public_Primary_Certification_Authority.pem

If you don't have a symlink that matches the subject hash then rehash the directory like so as root:

# c_rehash /usr/ssl/certs

If the hash symlink doesn't exist then openssl's verify functions will fail.

On Thu, Aug 4, 2016 at 12:29 PM, Stanford Prescott <stan.presc...@gmail.com> wrote:
> That would explain the error if the Verisign Class 3 public root CA were
> missing. However, our Smoothwall Express OS has all the standard root CAs
> package found in /usr/ssl/certs. Do I need to tell squid where to find
> those certs? If so, what config directive would I use for that?
>
> Thanks!
>
> On Wed, Aug 3, 2016 at 8:05 PM, Bruce Rosenberg <bruce.rosenberg...@gmail.com> wrote:
>
>> It looks like you are missing the Verisign Class 3 Public Primary Root
>> cert.
>> Notice the certificate chain list below.
>> Yahoo correctly sends back all intermediate certificates in the TLS
>> handshake so the only certificate you need to make sure squid trusts (via
>> openssl) is the Verisign root.
>>
>> You should be able to determine if the openssl client on the squid proxy
>> can verify the complete chain by running the following command on the proxy.
>> The important part is that at each step it outputs "verify return: 1"
>> meaning that the certificate at that depth in the chain was successfully
>> verified by its issuing certificate i.e. the certificate at the previous
>> higher level depth that we have already established we trust.
>> The root certificate is automagically verified by virtue of being
>> explicitly trusted by your openssl.
>>
>> $ openssl s_client -connect www.yahoo.com:443 </dev/null
>> CONNECTED(00000003)
>> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
>> verify return:1
>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>> verify return:1
>> depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
>> verify return:1
>> depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., OU = Information Technology, CN = www.yahoo.com
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com
>>    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>  1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
>>    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>>  2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>>
>> On Thu, Aug 4, 2016 at 9:51 AM, Stanford Prescott <stan.presc...@gmail.com> wrote:
>>
>>> Okay, it's not a name of the cert problem.
>>>
>>> I turned on extra debug info to see what I get when I remove the
>>> DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This
>>> is what I got in the cache.log. I only see a couple of lines about a
>>> certificate error. Sorry this is long but I didn't know what to include so
>>> I just included everything for that one access attempt.
ACLChecklist::~ACLChecklist: destroyed 0xa210ad8* >>> *2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: >>> 0xa210ad8 checking fast rules* >>> *2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(346) fastCheck: >>> aclCheckFast: list: 0x9de0a80* >>> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking >>> sslproxy_cert_error* >>> *2016/08/03 18:12:21.278 kid1| 28,5| Checklist.cc(400) bannedAction: >>> Action 'DENIED/0is not banned* >>> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking >>> sslproxy_cert_error#1* >>> *2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking all* >>> *2016/08/03 18:12:21.278 kid1| 28,9| Ip.cc(95) aclIpAddrNetworkCompare: >>> aclIpAddrNetworkCompare: compare: 10.40.40.110:35474/[: >>> <http://10.40.40.110:35474/%5B:>:] ([::]:35474) vs [::]-[::]/[::]* >>> *2016/08/03 18:12:21.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: >>> '10.40.40.110:35474 <http://10.40.40.110:35474>' found* >>> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: all = >>> 1* >>> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: >>> sslproxy_cert_error#1 = 1* >>> *2016/08/03 18:12:21.278 kid1| 28,3| Acl.cc(158) matches: checked: >>> sslproxy_cert_error = 1* >>> *2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: >>> 0xa210ad8 answer DENIED for match* >>> *2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: >>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >>> failed (1/-1/0)* >>> *2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(70) preCheck: >>> 0xbf950b68 checking fast ACLs* >>> *2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking >>> cache_access_log stdio:/var/log/squid/access.log* >>> *2016/08/03 18:12:21.279 kid1| 28,5| Acl.cc(138) matches: checking >>> (cache_access_log stdio:/var/log/squid/access.log line)* >>> *2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: >>> (cache_access_log 
stdio:/var/log/squid/access.log line) = 1* >>> *2016/08/03 18:12:21.279 kid1| 28,3| Acl.cc(158) matches: checked: >>> cache_access_log stdio:/var/log/squid/access.log = 1* >>> *2016/08/03 18:12:21.279 kid1| 28,3| Checklist.cc(63) markFinished: >>> 0xbf950b68 answer ALLOWED for match* >>> *2016/08/03 18:12:21.279 kid1| 28,4| FilledChecklist.cc(66) >>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950b68* >>> *2016/08/03 18:12:21.279 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: >>> ACLChecklist::~ACLChecklist: destroyed 0xbf950b68* >>> *2016/08/03 18:12:21.331 kid1| 33,2| client_side.cc(816) swanSong: >>> local=98.138.253.109:443 <http://98.138.253.109:443> >>> remote=10.40.40.110:35474 <http://10.40.40.110:35474> flags=33* >>> *2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(70) preCheck: >>> 0xbf950c28 checking fast ACLs* >>> *2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking >>> cache_access_log stdio:/var/log/squid/access.log* >>> *2016/08/03 18:12:21.331 kid1| 28,5| Acl.cc(138) matches: checking >>> (cache_access_log stdio:/var/log/squid/access.log line)* >>> *2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: >>> (cache_access_log stdio:/var/log/squid/access.log line) = 1* >>> *2016/08/03 18:12:21.331 kid1| 28,3| Acl.cc(158) matches: checked: >>> cache_access_log stdio:/var/log/squid/access.log = 1* >>> *2016/08/03 18:12:21.331 kid1| 28,3| Checklist.cc(63) markFinished: >>> 0xbf950c28 answer ALLOWED for match* >>> *2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) >>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbf950c28* >>> *2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: >>> ACLChecklist::~ACLChecklist: destroyed 0xbf950c28* >>> *2016/08/03 18:12:21.331 kid1| 28,4| FilledChecklist.cc(66) >>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xa210ad8* >>> *2016/08/03 18:12:21.331 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: >>> ACLChecklist::~ACLChecklist: destroyed 0xa210ad8* >>> 
>>>
>>> The web browser error says:
>>> "Failed to establish a secure connection to (a yahoo.com IP address was here)"
>>> and another message of "(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)"
>>> and "Certificate issuer (CA) not known".
>>>
>>> On Wed, Aug 3, 2016 at 4:12 PM, Stanford Prescott <stan.presc...@gmail.com> wrote:
>>>
>>>> Thanks for the info, Alex. That's very helpful about cleaning up my ACLs. Those ACLs are a collection of ACLs that others have suggested I use, but it would be nice to make them less confusing for me.
>>>>
>>>> With my limited understanding of how sslbump works, the idea for squid to play MITM is that a self-signed cert like squidCA.der is imported to a browser's root CAs. I have left a copy of the self-signed cert named squidCA.pem in the squid's cert directory, which only works if squid is told to not verify the peer. When following the instructions on how to generate the self-signed cert with openssl, the .pem file must be converted to a .der file for the browser to accept it. It just dawned on me: could this be related to the fact that the squid self-signed certs are not named the same?
>>>>
>>>> On Wed, Aug 3, 2016 at 3:01 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
>>>>
>>>>> On 08/03/2016 08:45 AM, Stanford Prescott wrote:
>>>>>
>>>>> > ssl_bump none localhostgreen
>>>>> > ssl_bump peek tls_s1_connect all
>>>>> > ssl_bump splice tls_s2_client_hello tls_to_splice
>>>>> > ssl_bump stare tls_s2_client_hello all
>>>>> > ssl_bump bump tls_s3_server_hello all
>>>>>
>>>>> AFAICT, the above is too complex. You can simplify it with:
>>>>>
>>>>> ssl_bump splice localhostgreen
>>>>> ssl_bump peek tls_s1_connect
>>>>> ssl_bump splice tls_to_splice
>>>>> ssl_bump stare all
>>>>> ssl_bump bump all
>>>>>
>>>>> and, after polishing your ACLs a little, possibly even with:
>>>>>
>>>>> ssl_bump splice transactions_to_splice
>>>>> ssl_bump peek tls_s1_connect
>>>>> ssl_bump stare all
>>>>> ssl_bump bump all
>>>>>
>>>>> where transactions_to_splice is "localhostgreen or (tls_s2_client_hello and tls_to_splice)".
>>>>>
>>>>> As for your original question, I recommend figuring out why Squid cannot verify the peer. For example, your setup might be missing fresh certificates for some well-known Root CAs. I do not know a good way to figure out why peer verification does not work, but analyzing cache.log with a high-enough debugging level should be doable, especially if you can reproduce the problem using a single transaction:
>>>>>
>>>>> http://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>>>>
>>>>> HTH,
>>>>>
>>>>> Alex.
>>>>>
>>>>
>>>
>>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
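Reading a section-28 cache.log by hand, as the thread does, means matching each preCheck to its markFinished by checklist pointer while Squid reuses those pointers. As an added example that is not from the thread or from Squid, the script below does that pairing in log order, extracts the OpenSSL handshake error, and reports whether the verification failure was fatal (sslproxy_cert_error answered DENIED, as in the log above) or tolerated. The log excerpt is constructed in the thread's format, and the function names and the debug_options assumption (28,5) are the editor's.

```python
import re
from collections import namedtuple

# Constructed excerpt in Squid cache.log format (ACL section 28, debug level 5).
SAMPLE_LOG = """\
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking slow rules
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rules)
2016/08/03 18:12:21.173 kid1| 28,5| Acl.cc(138) matches: checking (ssl_bump rule)
2016/08/03 18:12:21.173 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer ALLOWED for match
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xa210ad8 checking fast rules
2016/08/03 18:12:21.278 kid1| 28,5| Acl.cc(138) matches: checking sslproxy_cert_error
2016/08/03 18:12:21.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xa210ad8 answer DENIED for match
2016/08/03 18:12:21.278 kid1| Error negotiating SSL on FD 20: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""

PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+) checking")
CHECKING = re.compile(r"matches: checking (.+?)\s*$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\w+) for")
SSL_ERR = re.compile(r"Error negotiating SSL on FD (\d+): error:(\w+):[^:]*:[^:]*:(.+?) \(")

Decision = namedtuple("Decision", "time checklist directive answer")

def acl_decisions(log_text):
    """Pair each preCheck with the first directive it evaluates and the markFinished
    verdict for that pointer; pointers are reused, so the pairing relies on log order."""
    decisions, pending, current = [], {}, None
    for line in log_text.splitlines():
        if m := PRECHECK.search(line):
            current = m.group(1)
            pending[current] = [line[:23], None]      # [timestamp, top-level directive]
        elif (m := CHECKING.search(line)) and current in pending and pending[current][1] is None:
            pending[current][1] = m.group(1)          # nested ACL names are skipped
        elif (m := FINISHED.search(line)) and m.group(1) in pending:
            time, directive = pending.pop(m.group(1))
            decisions.append(Decision(time, m.group(1), directive, m.group(2)))
    return decisions

def ssl_errors(log_text):
    """(fd, OpenSSL error code, reason) for every failed server-side handshake."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(SSL_ERR.search, log_text.splitlines()) if m]

def diagnose(log_text):
    """A verify error is fatal only when the sslproxy_cert_error check answered DENIED."""
    verdicts = {d.directive: d.answer for d in acl_decisions(log_text)}
    for fd, code, reason in ssl_errors(log_text):
        outcome = "fatal" if verdicts.get("sslproxy_cert_error") == "DENIED" else "tolerated"
        return "%s: %s (error %s) on FD %d" % (outcome, reason, code, fd)
    return "ok: no server handshake errors"
```

Run it against a real cache.log captured with the single-transaction procedure Alex links; a "fatal" line whose reason is "certificate verify failed" is the cue to check the trust store before touching the ssl_bump rules.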